As cliché as it sounds, where has the time gone? Today we celebrate two years of Linux Malware Detect, open-source (web) malware detection.

The project has seen a lot of change since the first release. What started as an internal project to deal with a large increase in malware activity at my job, a mid-sized web hosting company, quickly grew into a larger, established project that proved useful for the hosting community at large. I spent nearly three months collecting malware to form the base of the initial signature set, developing the program logic and engaging people in WHT & cPanel IRC to test the early releases. Those first releases had fewer than 200 signatures, were strictly MD5 based and used techniques that were less than efficient and in many ways initially flawed.

As the project matured through its early releases, the reality of Linux (web) malware detection became evident: there were few or no tools that existed for the job, and LMD was filling an important void. The few tools that did exist were either not focused on malware or were commercial solutions that made no effort to share malware signatures or resources with the Linux community at large. This quickly led to a litany of feature requests for LMD along with a mountain of malware submissions from early adopters, all of whom saw in LMD what I saw: the potential to become an effective and crucial tool in combating malware.

Within the first couple of major releases, LMD saw an explosion of features and signatures which contributed to the maturity of the project. There were major additions such as hex-based pattern matching, quarantine support, a reporting system, real-time inotify monitoring, malware checkouts, clean & restore features and much more. The signature base grew from 200-odd to 8,388 at the time of this writing, an average of almost 350 new signatures per month.
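The move from strictly MD5-based signatures to hex-based pattern matching mentioned above, as an added example that is not LMD's own code: the sample file, both signature entries and the two matching functions are constructed here to show why a whole-file hash stops matching after a one-byte edit while a byte-pattern signature still does.

```python
import hashlib
from typing import Dict, Optional

# Constructed stand-in for a "known bad" file: a harmless marker string, not real malware.
ORIGINAL = b"<?php echo 'constructed-sample-marker'; ?>\n"
# The same file after a one-byte edit (one extra space), the kind of change a trivial
# repack or re-upload of the same code produces.
MODIFIED = ORIGINAL.replace(b"echo ", b"echo  ")

# Hash-based signature: MD5 of the whole file -> signature name (computed from the sample).
MD5_SIGS: Dict[str, str] = {hashlib.md5(ORIGINAL).hexdigest(): "constructed.sample.md5"}

# Hex-based signature: signature name -> hex string of a byte pattern to look for anywhere
# in the file content; "73616d706c652d6d61726b6572" is "sample-marker" in ASCII.
HEX_SIGS: Dict[str, str] = {"constructed.sample.hex": "73616d706c652d6d61726b6572"}


def md5_match(data: bytes) -> Optional[str]:
    """Return the name of the signature whose MD5 equals the file's digest, else None."""
    return MD5_SIGS.get(hashlib.md5(data).hexdigest())


def hex_match(data: bytes) -> Optional[str]:
    """Return the first hex signature whose decoded byte pattern occurs in data, else None."""
    for name, hexpat in HEX_SIGS.items():
        if bytes.fromhex(hexpat) in data:
            return name
    return None


def scan(data: bytes) -> Dict[str, Optional[str]]:
    """Run both methods on one file and report which signature, if any, each one hit."""
    return {"md5": md5_match(data), "hex": hex_match(data)}


if __name__ == "__main__":
    # The original is caught by both methods; the one-byte variant only by the hex pattern.
    print("original:", scan(ORIGINAL))
    print("modified:", scan(MODIFIED))
```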

The project now sits at version 1.4, which was released in April of 2011. Though the current release is 6 months old, that is by no means an indicator of the project's status but rather of its success and the maturity therein. The project still receives near-daily signature updates, the malware queue from checkouts has never been busier with an average of 85 malware submissions per day, and the manual review queue for checkouts sits at just over 3300 files and is an ever-challenging task to maintain, but one I do willingly. Though there is much room for improvement and many features that could be added to LMD, at the moment there are no pressing features required by LMD. Do I have plans in store for the project in the short term? Yes, of course, but like many open source projects, time commitment to the project has to be balanced with my job and personal time, so the priorities often shift between signature maintenance, feature development and work on other projects.

The success of the project can be measured by the 13,051 installations (at time of writing) that report in daily, the 540+ new installations per month and the over 17,000 Google references to the project. I am proud of LMD, of where it has come in the last 24 months, and am very encouraged by where I see it going in the future. I look forward to many years of success ahead for LMD and hope you will continue to trust in LMD to combat your malware threats.

9 Comments for this entry

Hi,
Great tool. I use it often. Forgive me if I overlooked an explanation on this, but I would love to contribute. Can I submit a patch? I see a few areas where minor improvements could be made. Let me know!
-kevin

By the way, what I want to change in a fork is just some code cleaning. I want to make the spaces in the bash consistent, and remove some of the UUOC (useless use of cat) that we are all guilty of in bash scripts. I think it will help tremendously moving forward to go ahead and clean some of those things up.

I welcome the contribution. I am currently working on the next version of LMD; if you submit your patch to ryan@rfxn.com I will be glad to include it and provide due credit in the change log / the corresponding blog post when it goes up.

I was curious, have you ever thought about adding this as an additional cPanel option for customers to be able to scan their own accounts but restricting it down to say something like a scan every 3hrs or even 24hrs.

We’ve had quite a few detections by Malware Detect and we are grateful for that as it saves us the hassles of manually checking or waiting for a site to be hacked before it even gets to us.